Is it a bad idea to use an email address as a salt for a password?
+3
A:
If e-mail address never changes than it's fine. I prefer a random salt myself since this is information no one knows. If someone knows your way the salt is done and got the hash and got the hash method you use than he can generate list of hashes based on that e-mail to retrieve to original password. I doubt someone goes trough all this effort unless it's a really important application
Mark Baijens
2010-09-24 13:08:54
I am making an online banking application - just kidding
Starlin
2010-09-24 13:21:46
Yeah you can never get an application completely secure. You should make your application so secure that it would take a hacker to much time for the result he gets back from it (probably a bit more secure since technology improves and it gets easier for hackers to hack with new technologies). Obviously this is more for a pentagon application as a web forum :P
Mark Baijens
2010-09-24 13:30:03
+3
A:
To increase security, it would be better to use a random salt. Email addresses can be found out quite easily, thus reducing the effectiveness of the salt. (Clarified in comments)
keyboardP
2010-09-24 13:10:10
The salt is designed to make brute forcing and using a rainbow table more difficult if the database was compromised... so I don't understand your point
Starlin
2010-09-24 13:14:40
The salt is designed to make rainbow tables unusable in the first place. But yes, it can hinder brute force too. Though for the strong password it's negligible. It's better to count that salt has been compromised. And, you know... speaking of such things, while 99% of applications sending passwords as a plain text over net, is funny
Col. Shrapnel
2010-09-24 13:18:31
I too don't understand your point keyboardP - Salt is designed to protect against attacks where the attacker already knows what the salt is.
Kragen
2010-09-24 13:22:10
Sorry, I should've been clearer. Yes, the salt complexity is irrelevant because dangerous access to that would assume access to the database. However, I personally believe in trying to make security as tight as possible. A lot of sites use the same hashing techniques. Now lets say they all use email addresses as salts. Constructing one rainbow table, regardless of how long it takes, will effectively break the security on multiple databases. It may be unlikely for trivial sites, but is it really that much more work to add a random salt?
keyboardP
2010-09-24 13:35:35
Yeah the same just came to my mind. Nothing bad in slightly better security. Although the rest of site is 1000 times more vulnerable than these hashes...
Col. Shrapnel
2010-09-24 18:54:58
True, security is only as strong as its weakest link. Still, deciding what constitutes as your salt isn't going to require a massive architectural redesign, so there's no need to fall into unneccessary practice IMO.
keyboardP
2010-09-24 19:19:56
+9
A:
You could use the user's login name as a salt which might be less likely to change than an e-mail address (EDIT: 0xA3 correctly pointed out, this is less secure than using the e-mail address because login names tend to be easier to guess, and some are quite commonly used such that rainbow tables may already exist for them, or could be reused for other sites).
Alternatively, have a database column where you save the salt for the password.
But then, you could as well use a random user-specific salt just as well which is harder to guess.
For better security, you could use two salts: A user-specific one and a system-wide one (concat them, then hash the salts with the password).
By the way, simple concatenation of salt and passwords might be less secure than using HMAC. In PHP 5, there's the hash_hmac() function you can use for this:
$salt = $systemSalt.$userSalt;
hash_hmac('sha1', $password, $salt);
EDIT: Rationale for a system-wide salt: It can and should be stored outside the database (but back it up. You won't be able to authenticate your users if you lose it). If an attacker somehow gets to read your database records, he still cannot effectively crack your password hashes until he knows the system-wide salt.
EDIT (slightly off-topic):
A further note on the security of password hashes: You might also want to read Why do salts make dictionary attacks 'impossible'? on hashing multiple times for additional protection against brute-forcing and rainbow table attacks (though I think that repeated hashing may introduce additional opportunities for denial-of-service attacks unless you limit the number of login attempts per time).
Archimedix
2010-09-24 13:14:32
Using the login name as a salt is even worse than using the email. It makes pre-computing your rainbow tables easier because there are user names you will find on almost any site. Besides that point I like your approach with using two salts and it would be +1.
0xA3
2010-09-24 13:42:50
+4
A:
I'm not a cryptography expert, however there are 3 things in particular that strike me as possibles issues with this suggestion.
- As Mark points out, the email may change, however the salt needs to remain the same for a given password (otherwise you won't be able to check the validity of the password).
- The size of email addresses is variable, and I imagine that it is important that the salt be larger than a certain size.
- Using an email address makes the salt much more predictable, which is usually a bad thing in cryptography.
I don't know if any of these is an issue or not, however the thing about cryptography is that often nobody knows until someone has devised an exploit (and by then its too late) - so my advice would be to err on the side of caution and not use email addresses as salt.
Kragen
2010-09-24 13:16:13
Note that predictability is a problem for when an attacker target one user. They could generate a rainbow table in advance taking this salt into account and use it to get the user password seconds after breaking in any system using this scheme (they could attack all of them as the same time as they use the same salt and need only one success). From here either they are targeting this system and could immediately fuck the user or they have a password and could try it on another, better protected website/service with the hope that the user keep the same password.
VirtualBlackFox
2010-09-24 13:45:52
+1
A:
As others already mentioned, salt should best be random. The purpose of a salt is to prevent rainbow table attacks using pre-computed hash dictionaries.
Assuming an attacker gets to know the hashed passwords and salts from your database, if the salt is "a74kd%$QaU" and the password is "12345", will he be able to crack it using a rainbow table? No, even if the password is weak, the attacker won't have a pre-computed hash dictionary at hand for your random salt.
If you however use a non-random salt like the user id or email it is somewhat more likely that someone already created a rainbow table for that salt, hoping to find a user with username "john" or the email "[email protected]"1
1WPA security for WLANs uses the SSID of the access point as a salt. Too bad, someone already pre-computed hashes for the most frequent SSID names.
0xA3
2010-09-24 13:24:14
0xA3, such a coinsidence, I am generating a rainbow table now using the salt "[email protected]". I understand your point, but there isn't a person in the world with rainbow tables with the salt "[email protected]". They take far too long to make and require far too much storage space for someone to make such a table... I am however going to go with a random salt, because I realised that there is a chance in the future that the email may need to be changed.
Starlin
2010-09-24 13:31:23
@Starlin: Email addresses might be better than user names or SSID values, but why make things unnecessarily easier to attack? The SSID rainbow tables from the link in my answer were generated in only 3 days and are only 40GB in size. And this is where another point comes into play: The hashing function needs to be slow.
0xA3
2010-09-24 13:40:21
+1
A:
Ophcrack (which is what most attackers would probably use, depending on your encryption function) doesn't contain tables with special characters like '.' or '@' unless you get to the biggest ("extended") tables. So using an email would probably be better than many other salts.
Xodarap
2010-09-24 13:30:33
This is an interesting observation. If you are genuinely concerned about a rainbow table or brute force attack, using a more complex salt would have some benefit.
Freiheit
2010-09-24 13:36:17